How the most damaging hack In cyber history was met with little notice
The 14 largest Megachurches in the world range from the Lakewood Church in Houston Texas (45,000 Members) to the Yoido Church in Seoul Korea (253,000 Members). They all denounce homosexuality as a sin. It is comforting to note that the pastors of only two of these churches were members of Adult Friend Finder, (the online dating service and swinger personals community website for FriendFinder, Inc.), and both were searching for anonymous gay hookups. Of the 535 members of congress, only 16 Congressmen and two Senators were members of this adult website. Most were interested in BDSM (bondage). Only three were interested in gay hookups.
Of the fortune 500 corporations, fewer than 1,420 executives (directors, VPs and above) were members of Adult Friend Finder. Another 230,000 or so rank and file employees of fortune 500 companies were also members – following in the footsteps of their admired superiors no doubt. Their interests ranged widely. Of the 2,400,000 odd employees of the Federal Government, we find a measly 120,000 or so who were members. This warms my heart.
When I tell you, however, that over 90 percent of all these members accessed the website, perused photographs (mostly naked or semi-naked), sent texts and emails and shared fascinating sexual fantasies with uncountable numbers of people while on the job and while using government or corporate computers, you might raise an eyebrow or two.
The above tragically fascinating information comes from a well publicized hack of Adult Friendfinder, accomplished last week by “ROR[RG]”, a hacker living in the beautiful and magical city of Bangkok, Thailand. This was absolutely not the first hack of Adult Friend Finder. I am personally aware of seven previous hacks and there are rumors of dozens, if not hundreds of prior hacks.
An extraordinary leak, but not unique
I need to make something perfectly clear. The hacks that reach public awareness are extremely rare. For a hack to reach public awareness someone has to make a serious mistake, or they are demanding money or some other asset or, in the case of ROR[RG], they have an ax to grind. ROR[RG] insisted that Adult Friend Finder (the company) owed a friend of his nearly a quarter of a million dollars. He wanted his friend to get paid, so he went public. I would estimate that for every computer hack that reaches the public’s knowledge there are 100 hacks that go unnoticed.
All previous hacks of Adult Friend Finder that I am aware of were done by hackers who simply wanted to know whether their girlfriend, or boyfriend was possibly cheating on them. Hacks of this nature seldom reach the Surface Web, and thereby, the attention of the press. For an adept hacker, Downloading the entire Friend Finder database is no more difficult than going to the library and checking out a book. It’s not that Friend Finder has substandard security, it’s simply that very little, to a determined and talented hacker, is immune to access.
Ransom for the info
I am not a top notch hacker, but I did spend most of my life attempting to stop hackers from accessing or damaging data. It was my job. As part of my job, I had to know how hackers did their jobs and became moderately good at it. It may sound devious or somehow over the line, but would you buy a lock from a lock manufacturer that professed to know nothing about how a lock is picked? I would not.
Anyway, with my limited talents I could easily have walked into the Friend Finder database and collected the same thing that ROR[RG] collected and, using it for analysis, written my story. That would have been illegal however. Instead I went to ROR[RG]’s area where he had placed the data. As usual, being a day late and a dollar short, by the time I knocked on the door he was selling incomplete segments of the database for non-exclusive use for $16,000. That’s more than I make for an article, so paying him (he wanted bitcoins by the way) was out of the question. I briefly considered barging in, grabbing what I needed and taking off without leaving any trace, but, let’s face it, he wanted money for it, so I would be committing theft. Part of me kept nagging that Google does the same thing with nearly everyone on earth a billion times a day – stealing our personal data — but such reasoning is the first act of making a criminal. Google may commit whatever crimes it likes. It doesn’t mean that I have to follow suit.
Turning to the concept first proposed in the movie Minority Report, where people were detained by acts called “Pre-Crime”, I contacted a friend of mine who had sucked up a copy of the database before ROR[RG] had a chance to lock it down and begin asking for cash. I can only assume that this would be classified as pre-theft and, according to Federal and State statutes, pre-theft was not yet a crime. I simply asked my good friend – Andrew Aurnheimer – @rabite on Twitter (he demanded I include his name and handle). He gave me access and I began to analyze it.
Getting the data
This whole affair raises complex questions about ethics and morality of which my brain is not qualified to deal. If someone steals data, then demands cash for it, and one refuses to pay, it gets tricky. I did not need to pay, because I could have accessed the exact same data from Adult Friend Finder as easily as a ten year old child with a first grade hackers manual, with absolutely zero chance of getting caught. However I did not want to steal from Adult Friend Finder, no matter how simple the task or how impossible it would have been to track me. I was then faced with stealing it from the man who stole it to begin with. I’m not clear on what rights to possession he may claim, but I didn’t want to test it. And then there’s Google – sucking up data which rightly belongs to us, constantly in front of the eyes the law with no repercussions. Anyway, my brain reels. Let’s get back to our story.
The key to my analysis of the data was the inclusion of the I.P. address accompanying each login. There were, or course, handles, valid email addresses, age, city and state, sex, race and other key identifiers included in the database, but these can be bogus. An I.P. address can only be hidden by passing communication through one or more proxy servers. I have a real time database of all underground proxy servers, as well as all legitimate corporate and government proxy servers, and I can generally work backwards and find the real IP address. When I cannot, I resort to the same tactic I used to gain access to the Adult Friend Finder database above. I use my name. It’s odd how simply naming a successful company after yourself changes people’s perspectives. Add to that the fact that for two dozen years I actively fought the underground hacking world. A grudging mutual respect emerged over time that at some point turned into a warm friendship. I was even invited to keynote DefCon in August of last year in Las Vegas, which I accepted. And received a standing ovation. What I’m trying to say is that I can call the owner of a proxy network used for underground, anonymous trafficking in, for example, the Cayman Islands, or anywhere for that matter, introduce myself and ask him to turn over his data to me with the promise it will not be disseminated and he will not be named. I am, at the very least, well known for keeping my word. The data is usually turned over to me without question.
What was inside the data and what it means
Few of the IP addresses in the Adult Friend Finder database were hidden. This was the strangest thing about the hack. You would think that a U.S. congressman, communicating with a young woman about the type of bondage equipment he wanted her to use prior to whipping him with a cane – while on his office computer — might think twice about the pitfalls of ignoring the tools of anonymity that my thirteen year old daughter uses with ease. But no.
It’s time to get to the meat of this hack. I could care less about who sleeps with whom and what nameless acts may occur between them. To be frank, the older I get the funnier sex looks to me, and the less important sex seems as a judgment of character. However, my attitude isn’t in the majority viewpoint.
ROR[RG] is asking approximately $16,000 for partial, non-exclusive access to the data that he holds. However, rumor is rampant deep in the Dark Web that an unnamed country has offered him $25 million for exclusive access to the non-redacted database. Why, you might ask?
Here is the answer:
used gov email address, but their own IP addresses
Handle verywilling2011 r******s@augustaga.gov Hrdcore44 j****.k****r@indy.gov Eaglesfan_6969 W*****m.*****son@Dhs.gov VuDuDado c********er.****ry@va.gov stormvet224 j*****y.****e@leo.gov lirk1251 k*****@plano.gov
——————————————————————————————————
used gov ip and their own email addresses
Handle IP Location cavcam20 c*********er@msn.com 132.79.10.15 Fort Huachuca, United States JPDanger3 fr*******hy@gmail.com 131.122.33.187 Navy Network Information Center (NNIC) Virginia Beach, VA TheRealSteve2 S*******20@hotmail.com 131.122.52.135 Navy Network Information Center (NNIC) Virginia Beach, VA 22drew88 dr*****mp@aol.com 204.34.240.100 Clients.usnbgtmo.navy.mil City Clutch42Single p****o@yahoo.com 132.79.7.15 hvaarlngwc01.ngb.army.mil City ——————————————————————————————————
used gov ip and gov email
Handle Domain Vshah6762 v****y*******@nasa.gov nasa.gov Hitit1972 E******@llr.sc.gov llr.sc.gov gaygay61 jo******dy@ssa.gov ssa.gov cHrisdaha m***.*****m@houstontx.gov houstontx.gov Hughojh J****es@law.nyc.gov law.nyc.gov jgarch g***o***@michigan.gov michigan.gov superfun41 g*****y.****o****@njwg.cap.gov njwg.cap.gov musicman6009 j***e@ncua.gov ncua.gov
High ranking officials within every agency of the U.S. Government, not to mention six U.S. state governors and 18 members of Congress, and countless aides to the same people, are all members of Adult Friend Finder. Nearly all of these officials are married with children. Imagine what would happen if Russia, or China got hold of this information. They would certainly not demand money to keep quiet. No — each of these people would be visited by a warm-hearted, well-dressed, kind and empathetic person whose conversation would go like this:
“We are so sorry that you got caught up in this nonsense, and we realize that it in no way taints your character or value as a productive citizen. Frankly, I myself have done far worse. We, in Russia, take a more practical view to such issues. They are not important. We have done what we can to keep your name out of this sad affair and can guarantee it will never come to light. That would help no-one, and we wish to hurt no-one. So you have a friend in me, and a friend in the Country of Russia. I believe I could even help you gain power and prestige in your own country. I am privy to much that is happening behind the scenes in Russia and would be willing to advise you on affairs that impact both or our countries. You may call me at any time. In fact, the vote coming up in July is one such issue that I can give you good advice on. Please call me.”
Can’t happen, you say? I say that nothing will prevent it from happening. If this hack was not the potentially most damaging hack we have experienced, then prove me wrong and I will eat my shoe.
photo credit: John McAfee
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU